Hi, sorry for my bad English.

I have some users that can only be logged in via simplesamlphp_auth and, when logged in, have the role 'atelier'.

This is the exported configuration:

langcode: it
default_langcode: en
activate: true
mail_attr: email
unique_id: username
user_name: username
auth_source: default-sp
login_link_display_name: 'Federated login'
header_no_cache: true
role:
  population: ''
  eval_every_time: true
register_users: true
allow:
  set_drupal_pwd: false
  default_login: true
  default_login_roles:
    administrator: administrator
    editor: editor
    site_admin: site_admin
    moderation: moderation
    authenticated: '0'
    atelier: '0'
  default_login_users: '1'
logout_goto_url: ''
user_register_original: visitors_admin_approval
sync:
  mail: true
  user_name: true
autoenablesaml: false
debug: false
secure: false
httponly: false
_core:
  default_config_hash: BuLah1nwoT5oUjn6XIuKnXkjcvdt5tDIGQ6gAflOY0s

Users with the atelier role can modify 'atelier' content.

If they only modify simple fields, I have no error, but if they add an image to a field_image field, after the AJAX request for the upload, the SimpleSAMLSessionID cookie changes and the user could save, but the changes are not saved because SimplesamlSubscriber triggers user_logout() (the $this->simplesaml->isAuthenticated() condition doesn't validate to true due to the new SimpleSAMLSessionID).

I have this problem only in production and I cannot reproduce it locally.

In the local environment, the cookie is not changed after the file has been uploaded... so all works well.

The production environment has a reverse proxy (Varnish) in HTTPS and the backend (Drupal) runs in HTTP; for users everything is transparently in HTTPS.

Do you have any suggestions to solve the problem or any advice for debugging it better?
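
A debugging aid for the symptom described above, added here as an example (not code from this thread or from simplesamlphp_auth): it walks a captured sequence of responses and reports which request's response re-issued SimpleSAMLSessionID, along with the Secure/HttpOnly flags the new cookie carried. The capture, request paths and cookie values are constructed; on a real site they would come from a browser HAR export or a proxy log.

```python
from http.cookies import SimpleCookie

COOKIE = "SimpleSAMLSessionID"  # cookie name taken from the issue text

# Constructed sample: (request line, Set-Cookie header values of its response).
# Paths and cookie values are made up for illustration.
CAPTURE = [
    ("GET /saml_login", ["SimpleSAMLSessionID=aaa111; path=/"]),
    ("GET /node/12/edit", []),
    ("POST /node/12/edit?ajax_form=1", ["SimpleSAMLSessionID=bbb222; path=/"]),
    ("POST /node/12/edit", []),
]


def find_reissues(capture, name=COOKIE):
    """Return one finding per response that replaces an already-issued
    `name` cookie with a different value."""
    findings = []
    current = None  # value the browser currently holds
    for request, set_cookie_headers in capture:
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            if name not in jar:
                continue
            morsel = jar[name]
            if current is not None and morsel.value != current:
                findings.append({
                    "request": request,
                    "old": current,
                    "new": morsel.value,
                    # Flags matter behind a TLS-terminating proxy: they show
                    # whether the backend believed the request was HTTPS.
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                })
            current = morsel.value
    return findings


if __name__ == "__main__":
    for f in find_reissues(CAPTURE):
        print(f"{f['request']}: {f['old']} -> {f['new']} "
              f"(Secure={f['secure']}, HttpOnly={f['httponly']})")
```

Running the same check on captures from the local and the production environment shows whether the re-issue happens on the upload request itself or on a later one.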

Comments

robertom created an issue.

robertom commented:

I could bypass the problem if I check the role "atelier" on "Which ROLES should be allowed to login with local accounts?"

I set this check temporarily, but I would like to understand what I'm doing wrong or how to fix it.

berdir commented:

Status: Active » Fixed

Going to guess that it is related to the incorrect storage configuration, see some of the recently updated issues like #2837029: All site forms fail with "The form has become outdated" after allowing "Authenticated user" role to log in with local accounts.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.